The above-mentioned U.S. patent application publication US 2002/0083175 describes a method for protecting against overload conditions in a set of one or more potential “victims” on a network, based on diverting traffic that is destined for the victims. To carry out this protection, a first set of network elements, such as routers, redirect the traffic to a second set of network elements, referred to as “guard machines.” The diversion is actuated when a potential victim comes under an anomalous traffic condition, such as might be caused by a Distributed Denial of Service (DDoS) attack. The guard machines filter the diverted traffic to remove malicious (or excessive) traffic, and forward the legitimate traffic on to the victim. The publication describes a number of methods by which traffic diversion may be effected.